Save the legacy session id in the client, and enforce that it is returned

the same from the server. ok jsing@ tb@
author: beck <> 2020-01-23 06:15:44 +0000
committer: beck <> 2020-01-23 06:15:44 +0000
commit: 932b432c3b9e9c407ff00712d9587cdd1bdfd76a (patch)
tree: ffc60c78456130825a15045a1cef8731c2786b40
parent: dfacc34b5531758fbd9129e03771aa661e80e93e (diff)
download: openbsd-932b432c3b9e9c407ff00712d9587cdd1bdfd76a.tar.gz
openbsd-932b432c3b9e9c407ff00712d9587cdd1bdfd76a.tar.bz2
openbsd-932b432c3b9e9c407ff00712d9587cdd1bdfd76a.zip
2 files changed, 18 insertions, 7 deletions
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 8649f651fa..2c774a3d77 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.253 2020/01/23 03:17:40 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.254 2020/01/23 06:15:44 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -469,6 +469,10 @@ typedef struct ssl_handshake_tls13_st {
        /* Preserved transcript hash. */
        uint8_t transcript_hash[EVP_MAX_MD_SIZE];
        size_t transcript_hash_len;
+        /* Legacy session ID. */
+        uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
+        size_t legacy_session_id_len;
 } SSL_HANDSHAKE_TLS13;
 typedef struct ssl_ctx_internal_st {
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 1d59f33279..cab113b8c3 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.29 2020/01/23 02:24:38 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.30 2020/01/23 06:15:44 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -157,7 +157,6 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
        CBB cipher_suites, compression_methods, session_id;
        uint16_t client_version;
        SSL *s = ctx->ssl;
-        uint8_t *sid;
        /* Legacy client version is capped at TLS 1.2. */
        client_version = ctx->hs->max_version;
@@ -170,12 +169,15 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
                goto err;
        /* Either 32-random bytes or zero length... */
-        /* XXX - session resumption for TLSv1.2? */
+        arc4random_buf(ctx->hs->legacy_session_id,
+            sizeof(ctx->hs->legacy_session_id));
+        ctx->hs->legacy_session_id_len = sizeof(ctx->hs->legacy_session_id);
        if (!CBB_add_u8_length_prefixed(cbb, &session_id))
                goto err;
-        if (!CBB_add_space(&session_id, &sid, 32))
+        if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
+            ctx->hs->legacy_session_id_len))
                goto err;
-        arc4random_buf(sid, 32);
        if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites))
                goto err;
@@ -315,7 +317,12 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                ctx->hs->server_version = legacy_version;
        }
-        /* XXX - session_id must match. */
+        /* The session_id must match. */
+        if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id,
+            ctx->hs->legacy_session_id_len)) {
+                ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
+                goto err;
+        }
        /*
         * Ensure that the cipher suite is one that we offered in the client
author	beck <>	2020-01-23 06:15:44 +0000
committer	beck <>	2020-01-23 06:15:44 +0000
commit	932b432c3b9e9c407ff00712d9587cdd1bdfd76a (patch)
tree	ffc60c78456130825a15045a1cef8731c2786b40
parent	dfacc34b5531758fbd9129e03771aa661e80e93e (diff)
download	openbsd-932b432c3b9e9c407ff00712d9587cdd1bdfd76a.tar.gz openbsd-932b432c3b9e9c407ff00712d9587cdd1bdfd76a.tar.bz2 openbsd-932b432c3b9e9c407ff00712d9587cdd1bdfd76a.zip